Abstract. The Brezing-Weng method is a general framework to generate families of pairing-friendly elliptic curves. Here, we introduce an improvement which can be used to generate more curves with larger discriminants. Apart from the number of curves this yields, it provides an easy way to avoid endomorphism rings with small class number.
1 Introduction

Since its birth in 2000, pairing-based cryptography has solved famous open problems in public key cryptography: the identity-based key-exchange [11], the one-round tripartite key-exchange [9] and the practical identity-based encryption scheme [3]. Pairings are now considered not only as tools for attacking the discrete logarithm problem in elliptic curves [10] but as building blocks for cryptographic protocols.

However, for these cryptosystems to be practical, elliptic curves with 
an efficiently computable pairing and whose discrete logarithm problem 
is intractable are required. 

There are essentially two general methods for the generation of such curves: the Cocks-Pinch method, which generates individual curves, and the Brezing-Weng method, which generates families of curves while achieving better $\rho$-values.

Our improvement extends constructions based on these methods by providing more curves with discriminants larger than what the constructions would normally provide (by a factor typically up to $10^9$ given the current complexity of algorithms for computing Hilbert class polynomials). In the Cocks-Pinch method the discriminant can be freely chosen, so our improvement is of little interest in this case; however, the Cocks-Pinch method is limited to $\rho \sim 2$. To achieve smaller $\rho$-values, one has to use the Brezing-Weng method, where known efficient constructions mostly deal with small (one-digit) discriminants; our improvement then provides an easy and efficient way to generate several curves with a wide range of discriminants, extending known constructions while preserving their efficiency (in particular, the $\rho$-value).

The curves we generate, having a larger discriminant, are possibly more secure than curves whose endomorphism ring has small class number, even though, at the time of this writing, no attack taking advantage of a small class number is known. To say the least, our improvement brings a bit of diversity to families of curves as generated by the Brezing-Weng method.

In Section 2, we recall the general framework for pairing-friendly elliptic curve generation. Then, in Section 3, we present the Brezing-Weng algorithm and our improvement. Eventually, in Section 4, we study practical constructions and their efficiency; we also present a few examples.

2 Framework 

2.1 Security Parameters 

Let $E$ be an elliptic curve defined over a prime finite field $\mathbb{F}_p$. We consider the discrete logarithm problem in some subgroup $\mathcal{H}$ of $E$ of large prime order $r$. In addition, we assume that $r$ is different from $p$.

For security reasons, the size of $r$ should be large enough to avoid generic discrete logarithm attacks. For efficiency reasons, it should also not be too small when compared to the size of the ground field; indeed, it would be impractical to use the arithmetic of a very large field to provide the security level that could be achieved with a much smaller one. Therefore, the so-called $\rho$-value

$$\rho := \frac{\log p}{\log r}$$

must be as small as possible. Note that, for practical applications, it is desirable that the parameters of a cryptosystem (here, $p$) be of reasonable size relative to the security provided by this cryptosystem (here, $r$), which is precisely what a small $\rho$-value asserts.

We wish to generate such an elliptic curve and ensure that it has an efficiently computable pairing, that is, a non-degenerate bilinear map from $\mathcal{H}^2$ to some cyclic group.
Known pairings on elliptic curves, i.e. the Weil and Tate pairings, map to the multiplicative group of an extension of the ground field. By linearity, the non-degeneracy of the pairing (on the subgroup of order $r$) forces the extension to contain primitive $r$-th roots of unity. Let $\mathbb{F}_{p^k}$ be the minimal such extension; the integer $k$ is called the embedding degree. It can also be defined elementarily as

$$k = \min\{\, i \in \mathbb{N} : r \mid p^i - 1 \,\}.$$

There are different ways of evaluating pairings, each featuring specific implementation optimizations. However, all known efficient methods are based on Miller's algorithm, which relies on the arithmetic of $\mathbb{F}_{p^k}$. Therefore, the evaluation of a pairing can only be carried out when $k$ is reasonably small.

In addition, the discrete logarithm problem must be practically intractable in both the subgroup of the curve and the multiplicative group of the embedding field. At the time of this writing, minimal security can be provided by the bounds

$$\log_2 r > 160 \quad\text{and}\quad k \log_2 p > 1024.$$

However, these are to evolve and, as the bound on $k \log_2 p$ is expected to grow faster than that on $\log_2 r$ (because the complexity of the index-calculus attack on finite fields is subexponential whereas that of elliptic curve discrete logarithm algorithms is exponential), we have to consider larger embedding degrees in order to preserve small $\rho$-values.

2.2 Curve Generation 

In order to generate an ordinary elliptic curve with a large prime order subgroup and an efficiently computable pairing, we look for suitable values of the parameters:

- $p$, the cardinality of the ground field;
- $t$, the trace of the Frobenius endomorphism of the curve (such that the curve has $p + 1 - t$ rational points);
- $r$, the order of the subgroup;
- $k$, its embedding degree.

Here, "suitable" means that there exists a curve achieving those values. This consistency of the parameters can be written as the following list of conditions:

1. $p$ is prime.
2. $t$ is an integer relatively prime to $p$.
3. $|t| < 2\sqrt{p}$.
4. $r$ is a prime factor of $p + 1 - t$.
5. $k$ is the smallest integer such that $r \mid p^k - 1$.

By a theorem of Deuring [4], Conditions 1-3 ensure that there exists an ordinary elliptic curve over $\mathbb{F}_p$ with trace $t$. The last conditions then imply that its subgroup of order $r$ has embedding degree $k$.

When $r$ does not divide $k$, which is always the case in cryptographic applications as we want $k$ to be small (for the pairing to be computable) and $r$ to be large (to avoid generic discrete logarithm attacks), Condition 5 is equivalent to $r \mid \Phi_k(p)$, which is a much handier equation; therefore, assuming Condition 4, it is also equivalent to

$$r \mid \Phi_k(t - 1).$$

To retrieve the Weierstrass equation of a curve with such parameters using the complex multiplication method, we need to look at $-D$, the discriminant (which need not be squarefree) of the quadratic order in which the curve has complex multiplication. Indeed, the complex multiplication method is only effective when this order has reasonably small class number. Due to a result of Heilbronn [8], in practice we ask for $D$ to be a small positive integer.

Writing the Frobenius endomorphism as an element of the complex multiplication order leads to the very simple condition

$$\exists\, y \in \mathbb{N},\quad 4p = t^2 + Dy^2$$

which ensures that $-D$ is a possible discriminant. It is referred to as the complex multiplication equation. Note that, instead of being added to the list, this condition may supersede Condition 3 as it is, in fact, stronger.

Using the cofactor of $r$, namely the integer $h$ such that $p + 1 - t = hr$, the complex multiplication equation can also be written as

$$Dy^2 = 4p - t^2 = 4hr - (t - 2)^2.$$

Note that if both the above equation considered modulo $r$ and the "original" complex multiplication equation hold, we recover the equation that states that the curve has a subgroup of order $r$.

Assuming $p > 5$, the third condition implies that $p$ divides $t$ if and only if $t = 0$; therefore, as $p$ is expected to be large, we only have to check whether $t \neq 0$. This condition is omitted from the list below as it (mostly) always holds in practical constructions; bear in mind that it is required, though.

Finally, we can summarize the requirements to generate a pairing-friendly elliptic curve; we are looking for

$$\left\{\begin{array}{l} p,\ r \text{ primes} \\ t,\ y \text{ integers} \\ D,\ k \text{ positive integers} \end{array}\right. \quad\text{such that}\quad \left\{\begin{array}{l} r \mid Dy^2 + (t - 2)^2 \\ r \mid \Phi_k(t - 1) \\ t^2 + Dy^2 = 4p \end{array}\right.$$

In practical computations, $r$ may not necessarily be given as a prime. However, if $r$ is a prime times a small cofactor, replacing it by that prime leads to the generation of a pairing-friendly elliptic curve without affecting the $\rho$-value much. Therefore, this slightly weaker condition is acceptable.

3 Algorithms

Let us fix $D$ and $k$ as small positive integers. The Cocks-Pinch method consists in solving the above equations to retrieve values of $p$, $r$, $t$ and $y$; it proceeds in the following way:

1. Choose a prime $r$ such that the finite field $\mathbb{F}_r$ contains $\sqrt{-D}$ and $z$, some primitive $k$-th root of unity.
2. Put $t = 1 + z$ and $y = (t - 2)/\sqrt{-D} \bmod r$.
3. Take lifts of $t$ and $y$ in $\mathbb{Z}$ and put $p = \frac{1}{4}(t^2 + Dy^2)$.

This algorithm has to be run for different parameters $r$ and $z$ until the output $p$ is a prime integer; then, the complex multiplication method can be used to generate an elliptic curve over $\mathbb{F}_p$ with $p + 1 - t$ points, a subgroup of order $r$ and embedding degree $k$.

Asymptotically, pairing-friendly elliptic curves generated by this algorithm have $\rho$-value 2.

3.1 The Brezing-Weng Method

The Brezing-Weng method starts similarly by fixing small positive integers $D$ and $k$. Then, it looks for solutions to these equations as polynomials $p$, $r$, $t$ and $y$ in $\mathbb{Q}[x]$. Once a solution is found, for any integer $x$, an elliptic curve with parameters $(p(x), r(x), t(x), y(x), D, k)$ can be generated provided that $p(x)$ and $r(x)$ are prime and that $t(x)$ and $y(x)$ are integers.
To enable this, we expect polynomials $p$ and $r$ to have infinitely many simultaneous prime values. There is actually a very precise conjecture on the density of prime values of a family of polynomials:

Conjecture 1 (Bateman and Horn [2]). Let $f_1, \ldots, f_s$ be $s$ distinct (non-constant) irreducible integer polynomials in one variable with positive leading coefficient. The cardinality of $R_N$, the set of positive integers $x$ less than $N$ such that the $f_i(x)$'s are all prime, has the following asymptotic behavior:

when $N \to \infty$, the constant $C(f_1, \ldots, f_s)$ being defined as

where $\mathcal{P}$ denotes the set of prime numbers.

The latter constant quantifies how much the $f_i$'s differ from independent random number generators, based on their behavior over finite fields; it can, of course, be estimated using partial products.

However, if we only need a quick computational way of checking polynomials $p$ and $r$, we may use a weaker corollary, earlier conjectured by Schinzel [12] and known as hypothesis H, which just consists in assuming that the constant $C(f_1, \ldots, f_s)$ is non-zero. Consider two polynomials, $p$ and $r$; in that case, the corollary states that, provided that

$$\gcd\{\, p(x)\, r(x) : x \in \mathbb{Z} \,\} = 1,$$

the polynomials $p$ and $r$ have infinitely many simultaneous prime values.

Actually, there is a subtle difference with the polynomials we are dealing with here: they might have rational coefficients. However, we believe that the hypothesis of the above conjecture can be slightly weakened to

$$\gcd\{\, p(x)\, r(x) : x \in \mathbb{Z} \text{ such that } p(x) \in \mathbb{Z} \text{ and } r(x) \in \mathbb{Z} \,\} = 1$$

so as to work with families of rational polynomials. Of course, a convention for the gcd of an empty set is used (in case there is no $x$ such that both $p(x)$ and $r(x)$ are integers).

Given small positive integers $D$ and $k$, the Brezing-Weng method works as follows:

1. Choose a polynomial $r$ with positive leading coefficient such that $\mathbb{Q}[x]/(r)$ is a field containing $\sqrt{-D}$ and $z$, some primitive $k$-th root of unity.
2. Put $t = 1 + z$ and $y = (t - 2)/\sqrt{-D}$ (represented as polynomials modulo $r$).
3. Take lifts of $t$ and $y$ in $\mathbb{Q}[x]$ and put $p = \frac{1}{4}(t^2 + Dy^2)$.

This algorithm has to be run for different parameters $r$ and $z$ until the polynomials $p$ and $r$ satisfy the above conjecture. Then, we might be able to find values of $x$ at which the instantiation of the polynomials yields a suitable set of parameters and thus generate an elliptic curve.

To heuristically check whether $p$ and $r$ satisfy the above conjecture, we compute the gcd of the products $p(x)\,r(x)$ for those $x \in \{1, \ldots, 10^2\}$ such that $p(x)$ and $r(x)$ are both integers. If this gcd is 1, the hypothesis of the conjecture is satisfied; otherwise, we assume it is not.

The main feature of this algorithm is that the $\rho$-value of the generated curves is asymptotically equal to $\deg p / \deg r$; therefore, a good $\rho$-value will be achieved if the parameters $(D, k, r, z)$ can be chosen so that the polynomial $p$ is of degree close to that of $r$. Because of the way $p$ is defined, the larger the degree of $r$ is, the more unlikely this is to happen.

Such wise choices are rare and mainly concerned with small discriminants; indeed, when $D$ is a small positive integer, $\sqrt{-D}$ is contained in a cyclotomic extension of small degree, which can therefore be taken as $\mathbb{Q}[x]/(r)$, thus providing an $r$-polynomial with small degree.

There exist a few wise choices for large $D$ (cf. Paragraph 6.4 of [6]) but those are restricted to a small number of polynomials $(p, r, t, y)$ and do not provide as many families as we would like.

3.2 Our Improvement

The key observation is that, if there exists an elliptic curve with parameters $(p, r, t, y, D, k)$, then for every divisor $n$ of $y$ there also exists an elliptic curve with parameters $(p, r, t, y/n, Dn^2, k)$. Note that this transformation preserves the ground field and the number of points of the curve, and therefore its $\rho$-value.

For one-shot Cocks-Pinch-like methods, this is of little interest since we could have set the discriminant to be $-Dn^2$ in the first place. However, for the Brezing-Weng method, where good choices of the parameters $(D, k, r, z)$ are not easily found, it provides a way to generate curves with a wider range of discriminants with the same machinery that we already have.
This improvement works as follows:

1. Generate a family $(p, r, t, y, D, k)$ using the Brezing-Weng method.
2. Choose an integer $x$ such that $p(x)$ and $r(x)$ are prime, and $t(x)$ and $y(x)$ are integers.
3. Compute the factorization of $y(x)$.
4. Choose some divisor $n$ of $y(x)$ and generate a curve with parameters $(p(x), r(x), t(x), y(x)/n, Dn^2, k)$ using the complex multiplication method.

In Step 3, we do not actually have to compute the complete factorization of $y(x)$. Indeed, $n$ cannot be too large in order for the complex multiplication method with discriminant $-Dn^2$ to be practical. So, we only have to deal with the smooth part of $y(x)$.

However, to avoid efficiently computable isogenies between the original curve (with $n = 1$, as generated by the standard Brezing-Weng method) and our curve, $n$ must have a sufficiently large prime factor [7]. Indeed, such an isogeny would reduce the discrete logarithm problem from our curve to the original curve.

These constraints are best satisfied when $n$ is a prime in some interval. Specifically, let $D$ be fixed and consider prime values for the variable $n$; the complexity of computing the Hilbert class polynomial (with discriminant $-Dn^2$) is $O(n^2)$ [5] and that of computing the above-mentioned isogeny is $O(n^3)$ [7].

Therefore, we recommend choosing a prime factor $n$ of $y(x)$ as large as possible among those $n$ such that the complex multiplication method with discriminant $-Dn^2$ is practical, that is, the Hilbert class polynomial is computable in reasonable time. Given current computing power, $n \approx 10^5$ seems to be a good choice; however, to choose the size of the parameter $n$ more carefully, we refer to a detailed analysis of the complexity [5].

By a theorem of Siegel [13], when $D$ is fixed, the class number of the quadratic field with discriminant $-Dn^2$ grows essentially linearly in $n$. Therefore, with $n$ chosen as described above, the class number is expected to be reasonably large. This helps avoid potential (though not yet known) attacks on curves with principal or nearly-principal endomorphism ring.

A toy example. Let $D = 8$, $k = 48$ and $r = \Phi_{48}$ (the cyclotomic polynomial of order $k$).

As $x$ is a primitive $k$-th root of unity in $\mathbb{Q}[x]/(r)$, put

$$t(x) = 1 + x \quad\text{and}\quad \sqrt{-D} = 2\,(x^6 + x^{18}).$$

The Brezing-Weng method outputs polynomials

$$y(x) = \tfrac{1}{4}\left(-x^{11} + x^{10} - x^7 + x^6 + x^3 - x^2\right) \quad\text{and}\quad p = \tfrac{1}{4}\left(t^2 + Dy^2\right)$$

and the degree of $p$ is such that this family has $\rho$-value 1.375. For example, if $x = 137$ then

$$p(x) = 12542935105916320505274303565097221442462295713$$

which is a prime number, and $r(x)$ is a prime number as well. The next step is to factor $y(x)$ as

$$y(x) = -1 \cdot 2 \cdot 17 \cdot 137^2 \cdot 229 \cdot 9109 \cdot 84191 \cdot 706631$$

and $n$ can possibly be any product of these factors.

Take for instance $n = 17$, which results in discriminant $-2312$ with class number 16 (as opposed to class number one, which would be provided by the standard Brezing-Weng method, i.e. with $n = 1$). The Weierstrass equation of a curve with parameters $(p(x), r(x), t(x), y(x)/n, Dn^2, k)$ is given by the complex multiplication method as

$$Y^2 = X^3 + 935824186433623028047894899424144532036848777\,X + 8985839528233295688881465643014243982999429660;$$

this being, of course, an equation over $\mathbb{F}_{p(x)}$.
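
The transformation of Steps 1-4 applied to the toy family above, as an added example that is not part of the original paper: the polynomials $t$, $y$ and $r = \Phi_{48}$ are those printed above, while the Miller-Rabin test, the trial-division bound of $10^6$ for the smooth part of $y(x)$ and the function names are assumptions of this example.

```python
# Toy family of Section 3.2: D = 8, k = 48, r = Phi_48, t = 1 + x (z = x).
D, K = 8, 48

def t_poly(x): return 1 + x

def r_poly(x): return x**16 - x**8 + 1             # Phi_48(x)

def y_poly(x):
    num = -x**11 + x**10 - x**7 + x**6 + x**3 - x**2
    assert num % 4 == 0, "y(x) is not an integer at this x"
    return num // 4

def p_poly(x):
    t, y = t_poly(x), y_poly(x)
    assert (t * t + D * y * y) % 4 == 0, "p(x) is not an integer at this x"
    return (t * t + D * y * y) // 4                # p = (t^2 + D y^2) / 4

def is_probable_prime(n):
    """Miller-Rabin, bases = first twelve primes (assumed; a probable-prime test, not a proof)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in bases:
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(p, r, bound=K):
    """Smallest i with r | p^i - 1 (Condition 5), or None if it exceeds bound."""
    return next((i for i in range(1, bound + 1) if pow(p, i, r) == 1), None)

def consistent(p, r, t, y, disc, k):
    """Conditions 1-5 of Section 2.2 plus the CM equation (which implies |t| < 2 sqrt p)."""
    return (is_probable_prime(p) and is_probable_prime(r) and t != 0
            and (p + 1 - t) % r == 0               # subgroup of order r
            and t * t + disc * y * y == 4 * p      # complex multiplication equation
            and embedding_degree(p, r) == k)

def smooth_part(y, bound=10**6):
    """Step 3: prime factors of y below an assumed bound, by trial division; the rough cofactor is left unfactored."""
    y, factors, q = abs(y), [], 2
    while q <= bound and q * q <= y:
        while y % q == 0:
            factors.append(q)
            y //= q
        q += 1
    if 1 < y <= bound:                             # a leftover below bound is prime
        factors, y = factors + [y], 1
    return factors, y

def enlarge_discriminant(p, r, t, y, disc, k, n):
    """Step 4: (p, r, t, y, D, k) -> (p, r, t, y/n, D n^2, k) for a divisor n of y."""
    assert y % n == 0, "n must divide y"
    return p, r, t, y // n, disc * n * n, k

def toy_example(x=137, n=17):
    family = (p_poly(x), r_poly(x), t_poly(x), y_poly(x), D, K)
    assert consistent(*family)                     # the standard Brezing-Weng curve
    enlarged = enlarge_discriminant(*family, n)
    assert consistent(*enlarged)                   # same p, r, t; discriminant -D n^2
    return enlarged
```

Running `toy_example()` reproduces $p(137)$ and the factorization of $y(137)$ given above and returns the parameter set with discriminant $-2312$.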

4 Constructions

We already mentioned that $n$ should have a large prime factor. To increase the chances for $y$ to have such factors, we seek constructions where $y$ is a nearly-irreducible polynomial, i.e. of degree close to that of its biggest (in terms of degree) irreducible factor.

Many constructions based on the Brezing-Weng method can be found in Section 6 of the survey article [6]. However, only a few involve a nearly-irreducible $y$ (most of those $y$ are divisible by a power of $x$). Here, we describe a generic construction that is likely to provide nearly-irreducible $y$'s.

4.1 Generic Construction 

Fix an odd prime $D$ and a positive integer $k$.
The extension $\mathbb{Q}[x]/(r)$ has to contain primitive $k$-th roots of unity; the simplest choice is therefore to consider a cyclotomic extension.

So, let us put $r = \Phi_{ke}$ for some integer $e$ to be determined. Let $\zeta_D$ be a primitive $D$-th root of unity; the Gauss sum

$$\sum_{i=1}^{D-1} \left(\frac{i}{D}\right) \zeta_D^{\,i},$$

whose square is $\left(\frac{-1}{D}\right) D$, shows that, for $\sqrt{-D}$ to be in $\mathbb{Q}[x]/(r)$, the product $ke$ may be any multiple of $\varepsilon D$, where $\varepsilon = 4$ if $-1$ is a square modulo $D$ and $\varepsilon = 1$ otherwise.

Therefore, we can use the following setting for the Brezing-Weng method:

1. Choose an odd prime $D$ and a positive integer $k$.
2. Put $\varepsilon = 4$ if $-1$ is a square modulo $D$, $\varepsilon = 1$ otherwise.
3. Choose a positive integer $e$ such that $\varepsilon D \mid ke$.
4. Choose a positive integer $f$ relatively prime to $k$.
5. Put $r = \Phi_{ke}$ and $z = x^{ef}$.
6. Use the expression

$$\sqrt{-D} = \zeta \sum_{i=1}^{D-1} \left(\frac{i}{D}\right) x^{\,i\,ke/D} \bmod r, \qquad \zeta = \begin{cases} x^{ke/4} & \text{if } \varepsilon = 4 \\ 1 & \text{if } \varepsilon = 1 \end{cases}$$

for the computation of $y$ in the Brezing-Weng method.

As the latter polynomial is of large degree, it can be expected to be quite random once reduced modulo $r$. Therefore, it is likely to be nearly-irreducible, and so the polynomial $y$ given by the Brezing-Weng method might also be nearly-irreducible.

To support this expectation, we have computed $\delta := \deg m / \deg y$, where $m$ is the biggest irreducible factor of $y = -\frac{1}{D}(z - 1)\sqrt{-D}$, the polynomials for $z$ and $\sqrt{-D}$ being given by the above algorithm. There are 4670 valid quadruplets $(D, k, e, f) \in \{1, \ldots, 20\}^4$ (i.e. for which $D$ is an odd prime and $\varepsilon D \mid ke$); the following table gives the number of valid quadruplets in this range leading to values of $\delta$ with prescribed first decimal.
first decimal of $\delta$  | 0.0 | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.8 |  0.9 |  1.0
number of quadruplets      |  79 |  27 |  51 |  72 |  26 | 309 | 388 | 320 | 807 | 1127 | 1464

We see that, in this range, more than 70% of valid quadruplets lead to a $y$-polynomial whose largest irreducible factor is of degree at least $0.8 \deg y$.






4.2 Examples 

Generic Construction. Let $D = 3$, $k = 9$, $e = 1$ and $f = 4$.

The Brezing-Weng method outputs the polynomials

$$p(x) = \tfrac{1}{3}\left(x^8 + x^7 + x^6 + x^5 + 4x^4 + x^3 + x^2 + x + 1\right), \qquad y(x) = \tfrac{1}{3}\left(x^4 + 2x^3 + 2x + 1\right)$$

which represent a family of elliptic curves with $\rho$-value 1.333.
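
Steps 1-6 of the generic construction and Steps 2-3 of the Brezing-Weng method carried out in exact arithmetic, as an added example that is not part of the original paper: it recomputes the family above from $(D, k, e, f) = (3, 9, 1, 4)$ together with the gcd heuristic of Section 3.1, which returns 3 for this family because $r(x) = \Phi_9(x)$ is divisible by 3 whenever $y(x)$ is an integer (hence the nearly-prime $r(x)$ below). The polynomial routines and the function names are this example's own.

```python
from fractions import Fraction
from math import gcd

def trim(a):                                       # drop leading zero coefficients
    while len(a) > 1 and a[-1] == 0: a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def mul(a, b):
    c = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            c[i + j] += u * v
    return trim(c)

def divmod_poly(a, b):
    """Long division in Q[x]: returns (quotient, remainder), deg remainder < deg b."""
    a, q = a[:], [Fraction(0)] * max(1, len(a) - len(b) + 1)
    while len(a) >= len(b) and any(a):
        d, c = len(a) - len(b), a[-1] / b[-1]
        q[d] = c
        for i, v in enumerate(b):
            a[i + d] -= c * v
        trim(a)
    return trim(q), trim(a)

def xpow(m): return [Fraction(0)] * m + [Fraction(1)]          # the monomial x^m

def cyclotomic(n):
    """Phi_n = (x^n - 1) / prod_{d | n, d < n} Phi_d, every division being exact."""
    num = add(xpow(n), [Fraction(-1)])
    for d in range(1, n):
        if n % d == 0:
            num, _ = divmod_poly(num, cyclotomic(d))
    return num

def legendre(i, D): return 1 if pow(i, (D - 1) // 2, D) == 1 else -1   # (i/D), D odd prime

def brezing_weng_generic(D, k, e, f):
    """Steps 1-6 of Section 4.1, then Steps 2-3 of the Brezing-Weng method."""
    eps = 4 if legendre(D - 1, D) == 1 else 1      # eps = 4 iff -1 is a square mod D
    assert (k * e) % (eps * D) == 0 and gcd(f, k) == 1, "invalid (D, k, e, f)"
    r = cyclotomic(k * e)
    def modr(a): return divmod_poly(a, r)[1]       # representative in Q[x]/(r)
    z = modr(xpow(e * f))                          # a primitive k-th root of unity
    # Gauss sum sum_i (i/D) x^(i ke/D): equals sqrt(-D) if eps = 1, sqrt(D) if eps = 4
    s = [Fraction(0)]
    for i in range(1, D):
        s = add(s, [legendre(i, D) * c for c in xpow(i * k * e // D)])
    sqrt_mD = modr(mul(s, xpow(k * e // 4)) if eps == 4 else s)   # times zeta_4 if needed
    assert modr(mul(sqrt_mD, sqrt_mD)) == [Fraction(-D)]
    t = add([Fraction(1)], z)                      # t = 1 + z
    # y = (t - 2)/sqrt(-D) = -(t - 2) sqrt(-D)/D, as sqrt(-D)^2 = -D modulo r
    y = modr([c / -D for c in mul(add(t, [Fraction(-2)]), sqrt_mD)])
    p = [c / 4 for c in add(mul(t, t), [D * c for c in mul(y, y)])]   # lifted to Q[x]
    return p, r, t, y

def rho_value(p, r): return Fraction(len(p) - 1, len(r) - 1)    # deg p / deg r

def hypothesis_h_gcd(p, r, bound=100):
    """Heuristic of Section 3.1: gcd of p(x) r(x) over 1 <= x <= bound with both integral."""
    g = 0
    for x in range(1, bound + 1):
        px, rx = (sum(c * x**i for i, c in enumerate(poly)) for poly in (p, r))
        if px.denominator == 1 and rx.denominator == 1:
            g = gcd(g, int(px * rx))
    return g
```

Other valid quadruplets, for instance $(D, k, e, f) = (5, 4, 5, 1)$ with $\varepsilon = 4$, go through the same code and are checked by the internal assertion on $\sqrt{-D}^2 = -D$.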

To generate a cryptographically useful curve from this family, we look for an integer $x$ such that $p(x)$ is a prime, $r(x)$ is nearly-prime and $y(x)$ is an integer; we also have to make sure that $p(x)^k$ and $r(x)$ are of appropriate size for both security and efficiency.

Many such $x$'s are easily found by successive trials; for instance, in the integer interval $[2^{27}; 2^{28}]$, there are 58812 of them, which is only 6 times less than what a pair of independent random number generators would be expected to achieve (calculated as an integral over $[2^{27}; 2^{28}]$ of the $1/\log$ prime density); for slightly more than a fifth of these, $y(x)$ has a prime factor in the integer interval $[10^4; 10^6]$, which can therefore be used as $n$ in our algorithm.
For example, let us put $x = 134499652$; we have

$$\begin{aligned} p(x) &= 35698341005790839038787210375794985673959363094188344177147207303 \\ r(x) &= 3 \cdot 1973357221157926680445163219766947256676055062891 \\ y(x) &= 419 \cdot 153733 \cdot 1693488567670454571754477 \end{aligned}$$

If we choose $n = 153733$, the discriminant is $-3 \cdot 153733^2$ and has class number 51244; computations give a Weierstrass equation for the curve:

$$Y^2 = X^3 + 18380344310754022726680092877438217394215740605269665898315768997\,X + 354115871905735471524325126360483038157372705450329206494776897$$

Sporadic Families. Our improvement requires families with nearly-irreducible $y$'s, which is why we described a generic construction that is able to generate such families for various parameters $(D, k)$. However, for a few specific parameters, there are sporadic constructions with good $\rho$-values that also feature nearly-irreducible $y$'s, and our improvement produces curves with larger discriminants without changing $\rho$-values.
To illustrate this, let us consider the Barreto-Naehrig family [1], which features the optimal $\rho$-value of 1 for parameters $D = 3$, $k = 12$ and

$$\begin{aligned} p(x) &= 6^2 x^4 + 6^2 x^3 + 4 \cdot 6\, x^2 + 6x + 1 \\ r(x) &= 6^2 x^4 + 6^2 x^3 + 3 \cdot 6\, x^2 + 6x + 1 \\ y(x) &= 6x^2 + 4x + 1 \end{aligned}$$

For instance, if $x = 549755862066$, we have

$$\begin{aligned} p(x) &= 3288379836712499477504831531496220248757101197293 \\ r(x) &= 13 \cdot 61 \cdot 4146758936585749656374312380967431265034293149 \\ y(x) &= 151579 \cdot 11963326366170669619 \end{aligned}$$

If we choose $n = 151579$, the discriminant is $-3 \cdot 151579^2$ and has class number 50526; computations give a Weierstrass equation for the curve:

$$Y^2 = X^3 + 983842331478040932232760138380470085419271212296\,X + 2848148112127026939825061113251126889450914939726$$